There are password managers like KeePass which store all the passwords in an encrypted container on the local machine. I would have to copy this container over to other machines to be able to have my passwords there as well.

Then there are password managers which are essentially like KeePass but store the password container online.

And then there are algorithmic password generators which, based on a master password, create the password for the currently visited website on the fly. Examples for such online password managers are SupergenPass and PWDHash. All I need to carry around with me is a tiny bookmarklet (which gets synced across browsers) and the master password in my head.

What are the advantages or drawbacks, security wise, when using the online password managers of the 3rd category? Is there an online password manager which addresses these drawbacks while providing the advantages?

3 Answers

I personally like the hosted manager a bit better as long as the security is implemented properly. Take LastPass for example (my favorite), they don't store an un-hashed version of your master password so without deliberately cracking your passwords, even the site host can't access your information. This is of course only as good as your trust for the third party which is where the security concerns come into play. Long story short, as long as they don't keep an un-hashed copy of your password, I don't mind using the hosted password managers.

Fine, but that's not what the question is essentially about. I mentioned the other 2 categories of password managers just to explain the category I am interested in: do not store the password at all but "create" it on the fly.
– akira Jul 10 '10 at 13:48

Using a hosted password manager means that your passwords are stored somewhere in the cloud, and somewhere nearby to that (in the code that creates/edits/uses them) is explicit instructions on how to decrypt them. Should the site be compromised, it wouldn't be hard to get access to thousands of accounts.

For that reason, I'm leery of online password managers. Personally, I use a solution that I made up for myself: I have an algorithm that is simple enough to run in my head, that generates a secure password (upper & lower case characters, numbers, and special characters) based on the domain name and my chosen username.

In addition, I try to use oAuth and OpenId wherever possible, so that I have less passwords to remember and can be more sure that the sites that DO have my password (e.g. Facebook, and my OpenId provider) are properly securing it (salt + hash, etc).

If I had to use a password storage utility of some sort, I would probably go with KeePass and store the encrypted file in Dropbox to sync between computers.

supergenpass and hashpwd do not store the passwords at all. They are "running an algorithm in jscript based on a master password, the site you are currently at and piping that through md5".
– akira Jul 1 '10 at 4:29

The way clipperz works is it encrypts/decrypts an encrypted blob that the server stores in javascript. This means that if your blob finds its way to an evil hacker they will not be able to decrypt it (if you decided on a reasonable password).

The code for it is open source, something that fills me with a bit more confidence cause I can audit it.

I would be less likely to use stuff like https://www.pwdhash.com/ because it means that if I want to change my master password I will need to change it on all sites. Also, it is less secure, as if people know the rules I use to build the password they can brute force my master password.

If you decide to change a password for a site, you have to tell the site about it. If your master password for such a hosted solution is compromised, you have to change the password for every site as well.
– akira Jul 1 '10 at 4:31
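As an added illustration (constructed for this thread, not the code of SuperGenPass, PwdHash or Clipperz), here is a model of the stateless "master + site through md5" scheme described above beside a hardened variant that addresses the two drawbacks raised in this answer and its comment: a per-site counter lets one site's password be rotated without changing the master, and a slow KDF makes the master expensive to guess from a leaked site password. Function names, the output alphabet and the iteration count are assumptions.

```python
import hashlib
import string

# Constructed example; it models the scheme discussed in the thread, it is not
# the real SuperGenPass/PwdHash algorithm. The alphabet below is an assumption,
# and the byte-to-character mapping is illustrative (not bias-free).
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"


def naive_derive(master: str, domain: str, length: int = 16) -> str:
    """Stateless derivation as described in the thread: md5(master + site).
    One fast hash and no per-site version: any single leaked site password lets
    someone who knows this rule test master-password guesses offline at md5 speed,
    and a master change alters every site password at once."""
    digest = hashlib.md5((master + domain).encode()).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest)[:length]


def hardened_derive(master: str, domain: str, counter: int = 1,
                    length: int = 16, iterations: int = 100_000) -> str:
    """Same idea with two fixes: a per-site counter in the salt so one site can be
    rotated independently, and PBKDF2-HMAC-SHA256 with many iterations so each
    offline guess of the master costs far more than one md5. Iteration count is
    an assumed value chosen for this illustration."""
    salt = f"{domain}:{counter}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen=length)
    return "".join(ALPHABET[b % len(ALPHABET)] for b in key)


def rotate_site(master: str, domain: str, current_counter: int) -> tuple[int, str]:
    """Rotate one site's password: bump its counter, keep the master unchanged.
    The user still has to submit the new password to that site, as the comment
    above notes, but no other site is affected."""
    new_counter = current_counter + 1
    return new_counter, hardened_derive(master, domain, new_counter)


def sites_changed_by_master_change(old_master: str, new_master: str,
                                   domains: list[str]) -> list[str]:
    """Shows the drawback of every stateless scheme: replacing the master (e.g.
    after it is compromised) changes the password of every site at once."""
    return [d for d in domains
            if hardened_derive(old_master, d) != hardened_derive(new_master, d)]


if __name__ == "__main__":
    print(naive_derive("correct horse", "example.com"))
    print(hardened_derive("correct horse", "example.com"))
    print(rotate_site("correct horse", "example.com", 1))
    print(sites_changed_by_master_change("correct horse", "battery staple",
                                         ["a.example", "b.example"]))
```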